[Oisf-users] eve.json packet field not matching traffic

Jeremy MJ jskier at gmail.com
Tue Feb 28 20:30:15 UTC 2017


I typically just use scapy and the base64 python module for decoding,
although I believe eve2pcap is all python based too.

What method are you using to capture packets?

--
Jeremy MJ


On Tue, Feb 28, 2017 at 2:07 PM, erik clark <philosnef at gmail.com> wrote:
> Yeah, it's very strange. We are using eve2pcap which does a great job of
> converting it, but we noticed that some content in packet: is either
> truncated or outright wrong...
>
> On Tue, Feb 28, 2017 at 2:09 PM, Jeremy MJ <jskier at gmail.com> wrote:
>>
>> Did you decode the base64 properly? Also, I believe the packet field
>> is very limited with what you get in general.
>>
>> I don't seem to have your problem with 3.2 (feeding from rspan), but
>> it's definitely malformed with erspan captures (Bug #1526).
>>
>> --
>> Jeremy MJ
>>
>>
>> On Tue, Feb 28, 2017 at 7:28 AM, erik clark <philosnef at gmail.com> wrote:
>> > The content in eve.json for the packet field matches neither the payload
>> > nor
>> > the payload_printable, nor what I assume to be the other side of the
>> > transaction...
>> >
>> > Wat?
>> >
>> > Is this expected behavior? Also, the packet appears to be highly
>> > truncated.
>> > This is on suri 3.2. I believe I see the same behavior on suri 3.1.3 as
>> > well.
>> >
>> > _______________________________________________
>> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> > Site: http://suricata-ids.org | Support:
>> > http://suricata-ids.org/support/
>> > List:
>> > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> >
>
>
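Decoding the base64 packet field and checking it against the payload field, as an added example (standard library only; not code from the thread, from Suricata or from eve2pcap): it parses Ethernet/IPv4/TCP headers, extracts the TCP payload and reports whether the packet bytes match the payload, are truncated (the IP total length exceeds what was captured) or simply differ. The eve.json record is constructed by make_event, and the comparison assumes payload refers to the same packet's TCP data, which does not hold when Suricata logs a reassembled stream payload.

```python
import base64
import struct

def parse_tcp_packet(raw: bytes) -> dict:
    """Parse Ethernet/IPv4/TCP headers of one captured frame (no IP options assumed beyond IHL)."""
    if len(raw) < 34 or struct.unpack("!H", raw[12:14])[0] != 0x0800:
        raise ValueError("need at least an Ethernet + IPv4 header")
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6 or len(ip) < ihl + 20:
        raise ValueError("not TCP, or TCP header truncated")
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    return {
        "src_ip": ".".join(map(str, ip[12:16])),
        "dest_ip": ".".join(map(str, ip[16:20])),
        "src_port": sport, "dest_port": dport,
        "tcp_payload": tcp[doff:],
        # IP total length minus captured IP bytes: >0 means the frame was cut short
        "missing_bytes": max(0, total_len - len(ip)),
    }

def decode_packet_field(event: dict) -> dict:
    """Base64-decode the eve.json packet field and parse it."""
    return parse_tcp_packet(base64.b64decode(event["packet"]))

def check_event(event: dict) -> str:
    """Return 'match', 'truncated' or 'mismatch' for packet vs payload."""
    pkt = decode_packet_field(event)
    payload = base64.b64decode(event.get("payload", ""))
    got = pkt["tcp_payload"]
    if got == payload:
        return "match"
    if pkt["missing_bytes"] and payload.startswith(got):
        return "truncated"
    return "mismatch"

def make_event(payload: bytes, snaplen=None) -> dict:
    """Build a constructed eve.json-like alert record (not real Suricata output)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 80])) + tcp
    frame = b"\x00" * 12 + b"\x08\x00" + ip   # zero MACs, ethertype IPv4
    if snaplen is not None:
        frame = frame[:snaplen]                # simulate a short capture
    return {"event_type": "alert",
            "payload": base64.b64encode(payload).decode(),
            "payload_printable": payload.decode("ascii", "replace"),
            "packet": base64.b64encode(frame).decode()}
```

For example, check_event(make_event(b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n", snaplen=70)) returns "truncated", since the frame is 92 bytes long but only 70 were kept.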


